The Hogan Lovells Privacy Team looks forward to seeing many of you this week at the International Association of Privacy Professionals (IAPP) Global Privacy Summit in Washington, D.C. We are delighted to once again participate in the Summit as a gold level sponsor and hope you will visit us at Booth 7 in the Exhibition Hall to learn more about our Global Privacy and Information Management Practice. Hogan Lovells attorneys will also be featured at a number of breakout sessions:
The French data protection authority (the Commission Nationale de l’Informatique et des Libertés – CNIL) has just published an amended version of its standard authorization for professional whistleblowing helplines which results in a significant broadening of its scope but also tightens the requirements for anonymous reporting.
Under French data protection legislation, whistleblowing helplines are subject to prior authorization by the French data protection authority. Indeed, French data protection legislation requires that processes which may result in the exclusion of a person from the benefit of a right or a contract are subject to prior authorization, as could be the case when resorting to a whistleblowing helpline (employees may incur sanctions and be terminated).
Isabelle Falque-Pierrotin, the recently reelected president of the French Data Protection Authority, the CNIL, was elected today to head the Article 29 Working Party for two years effective immediately. The Article 29 Working Party brings together representatives of data protection authorities of the EU Member States, the European Data Protection Supervisor, and other European data protection authorities as observers. The Working Party is influential in its examination and pronouncements on EU data protection matters, and is charged with giving expert advice to the member states regarding data protection, with promoting equal application of the Data Protection Directive in all EU member states and with giving the European Commission input on data protection matters.
For an in-depth analysis of the new U.S. cybersecurity Framework, click here.
With cyberattacks prompting litigation, regulatory inquiries, and reactions from customers and media outlets on an almost daily basis, companies of every type are considering what they should be doing now to address the risks of cyber intrusions and data security breaches.
HHS has issued new guidance addressing when it is appropriate under the HIPAA Privacy Rule for a health care provider to share the protected health information of a patient who is being treated for a mental health condition.
On February 18, Puerto Rican insurer Triple S Salud revealed that it will face a $6.8 million fine for violating the Health Insurance Portability and Accountability Act (“HIPAA”). According to an 8-K filing submitted to the Securities and Exchange Commission (“SEC”), the Puerto Rico Health Insurance Administration notified Triple S on February 11, 2014, regarding its plans to sanction the insurer for HIPAA violations resulting from a 2013 breach of protected health information. The Health Insurance Administration also plans to impose administrative sanctions on the insurer, including the suspension of new enrollments into one of its plans and the obligation to notify affected individuals of their right to disenroll.
In June 2013, the French National Commission on Information Technology and Liberties (Commission Nationale de l’Informatique et des Libertés, “CNIL”) announced that, following a question of Member of European Parliament Françoise Castex, it was going to investigate IP Tracking practices that e-commerce sites allegedly used to illegitimately increase their prices. This investigation was carried out in close connection with the French Directorate General for Competition Policy, Consumer Affairs and Fraud Control (Direction Générale de la Concurrence, de la Consommation et de la Répression des Fraudes, “DGCCRF”). In January 2013, MEP Françoise Castex had already alerted the European Commission about this alleged unfair commercial practice. The Commission concluded that national authorities in charge of protecting personal data were competent as the IP address is personal data.
On Monday, a federal district court dismissed two related putative class action suits filed against Nationwide Mutual Insurance Company following a data breach at Nationwide in October 2012 that affected over 1 million individuals. The opinion shows that courts remain skeptical of plaintiffs’ ability to show any real injury from the fact that their personally identifiable information (“PII”) was compromised without some additional evidence of concrete harm such as identity fraud. The opinion also sheds important light on the ability of plaintiffs to overcome this standing barrier by alleging that their injury derives from the violation of a federal statute.
On February 12 at a White House event headlined by two Cabinet Secretaries, the President’s Chief of Staff, and three CEOs, the National Institute of Standards and Technology (NIST) released version 1.0 of a “Framework for Improving Critical Infrastructure Cybersecurity” (Framework). Likely to become a highly influential benchmark for assessing the reasonableness of corporate cybersecurity programs, the Framework was developed with input from hundreds of private sector, governmental, and other experts pursuant to the President’s Executive Order on Improving Critical Infrastructure Cybersecurity.
On January 27, the European Agency for Fundamental Rights (FRA), an official agency of the European Union (EU), released its report on Access to Data Protection Remedies in EU Member States. As detailed below, the FRA concluded that redress mechanisms for data protection violations in the EU need improvement. More specifically, the FRA found that data protection authorities (DPAs) do not have sufficient powers or resources, there are not enough judges and lawyers with adequate knowledge of data protection issues, civil society organizations (e.g., consumer interest and privacy advocacy groups) have difficulty bringing suits on behalf of victims of data protection breaches, the costs and burdens of proof associated with data protection suits are too high, and Europeans lack awareness of remedies for data protection violations.